GDPR Compliance
Last updated: 11 April 2026
School IQ Labs Ltd ("we", "us") is committed to protecting personal data and ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how StaffIQ supports schools in meeting their data protection obligations and the measures we take as a data processor.
1. Our Role Under GDPR
Under UK GDPR, the roles are clearly defined:
- Data Controller: Your school, trust, or educational organisation. You determine the purposes and means of processing staff personal data.
- Data Processor: School IQ Labs Ltd. We process personal data on your behalf, strictly in accordance with your instructions and our Data Processing Agreement (DPA).
This distinction is important: while we provide the technology and safeguards, your organisation remains responsible for ensuring a lawful basis for processing and for responding to data subject requests.
2. Lawful Basis for Processing
As a data processor, we act on the instructions of our Customers. Schools typically rely on the following lawful bases for processing staff data in StaffIQ:
- Legal obligation (Article 6(1)(c)): Schools are required by law to maintain a Single Central Record of pre-employment checks (Keeping Children Safe in Education, Education Act 2002).
- Contract performance (Article 6(1)(b)): Processing necessary for the employment contract (payroll, contract management, HR administration).
- Legitimate interests (Article 6(1)(f)): Workforce planning, analytics, and operational management, where balanced against the rights of data subjects.
- Consent (Article 6(1)(a)): Where applicable, such as for optional demographic monitoring.
3. Data Minimisation and Purpose Limitation
StaffIQ is designed with data minimisation in mind:
- We only collect data fields that are necessary for compliance and HR management
- Customers control which optional fields are enabled through custom field settings
- Data is only used for the purposes specified in our DPA and Privacy Policy
- Configurable data retention policies allow Customers to define how long records are kept after staff departure
4. Data Subject Rights
StaffIQ includes features to help Customers respond to data subject requests:
- Right of Access (Article 15): Customers can export a complete staff record, including all compliance data and uploaded documents, to fulfil Subject Access Requests (SARs).
- Right to Rectification (Article 16): Staff records can be edited at any time to correct inaccurate data.
- Right to Erasure (Article 17): Customer administrators can permanently delete staff records. Note that some data may need to be retained for legal compliance (e.g. safeguarding records as required by KCSiE).
- Right to Restriction (Article 18): Records can be archived to restrict ongoing processing while retaining the data.
- Right to Data Portability (Article 20): Data can be exported in standard formats (CSV, Excel) for transfer to another system.
Data subject requests should be directed to your school or trust (the data controller) in the first instance. We will assist Customers in responding to requests as required under our DPA.
5. Technical and Organisational Measures
We implement the following measures in accordance with Article 32 of UK GDPR:
5.1 Encryption
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted using AES-256
- Database connections are encrypted
5.2 Access Controls
- Role-based access control (RBAC) with four permission levels: Super Admin, School Admin, HR Manager, and Viewer
- Multi-school organisations can restrict user access to specific schools
- All user actions are logged in a comprehensive audit trail
5.3 Tenant Isolation
- Each organisation's data is logically isolated at the application and database level
- No organisation can access another organisation's data under any circumstances
- All database queries are automatically scoped to the authenticated user's organisation
5.4 Audit Logging
- Every create, update, delete, and view action is logged with timestamp, user, and IP address
- Audit logs are immutable and retained for the duration specified in the DPA
- Sensitive field values (e.g. NI numbers, salary) are not logged — only field names
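As an added illustration (not StaffIQ's own code) of the two measures above in 5.3 and 5.4, the following sketch shows a repository whose lookups are always filtered by the authenticated session's organisation, and an audit log that records the names of sensitive fields but never their values. The staff rows, field names and session details are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: one shared table holding two organisations' staff.
def sample_rows():
    return [
        {"id": 1, "org_id": "org-a", "name": "A. Smith", "ni_number": "QQ123456C", "salary": 31000},
        {"id": 2, "org_id": "org-b", "name": "B. Jones", "ni_number": "QQ654321A", "salary": 28000},
    ]

SENSITIVE_FIELDS = {"ni_number", "salary"}  # field names are logged, values are not

@dataclass
class Session:
    user: str
    org_id: str  # the tenant the caller authenticated to
    ip: str

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, action, record_id, changes):
        # Sensitive values are replaced before the entry is built, so they never reach storage.
        safe_changes = {k: ("[redacted]" if k in SENSITIVE_FIELDS else v) for k, v in changes.items()}
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "ip": session.ip, "org_id": session.org_id,
            "action": action, "record_id": record_id, "changes": safe_changes,
        })

class StaffRepository:
    """Every lookup is filtered by the session's org_id; callers cannot omit the filter."""
    def __init__(self, session, audit, rows):
        self.session, self.audit, self.rows = session, audit, rows

    def _scoped(self):
        return [r for r in self.rows if r["org_id"] == self.session.org_id]

    def get(self, record_id):
        row = next((r for r in self._scoped() if r["id"] == record_id), None)
        if row is not None:
            self.audit.record(self.session, "view", record_id, {})
        return row  # another tenant's id looks the same as a missing record

    def update(self, record_id, changes):
        row = self.get(record_id)
        if row is None:
            raise LookupError(f"record {record_id} not found in {self.session.org_id}")
        row.update(changes)
        self.audit.record(self.session, "update", record_id, changes)
        return row
```

The scoping lives in the repository rather than in each query, so a missing filter in one code path cannot expose another organisation's rows, and the audit entry for an update names the salary field without storing the new figure.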
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected Customers without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide all information necessary for the Customer to fulfil their obligations to notify the ICO and affected data subjects
- Cooperate fully with any investigation and remediation efforts
- Document the breach, its effects, and the remedial actions taken
7. International Data Transfers
Our primary infrastructure is hosted in the United Kingdom. Where personal data is transferred outside the UK (for example, to sub-processors), we ensure appropriate safeguards are in place:
- UK International Data Transfer Agreements (IDTAs) with all relevant sub-processors
- Reliance on adequacy decisions where available
- Transfer impact assessments conducted for all international transfers
8. Data Protection Impact Assessments
We have conducted a Data Protection Impact Assessment (DPIA) for the StaffIQ platform. We recommend that Customers also conduct their own DPIA when implementing StaffIQ, particularly given the volume of staff personal data processed. We are happy to support this process.
9. Sub-Processors
We engage a limited number of sub-processors to deliver the Service. All sub-processors are bound by data processing agreements that impose equivalent obligations to those in our DPA. We will notify Customers of any changes to our sub-processor list with at least 30 days' notice. A current list is available upon request.
10. Data Processing Agreement
We provide a comprehensive Data Processing Agreement to all Customers. The DPA covers all requirements of Article 28 of UK GDPR, including:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the data controller
- Sub-processor management
- International transfer safeguards
- Data deletion and return upon termination
For a copy of our DPA, please see our Data Processing Agreement page or contact us.
11. Contact Us
For questions about our GDPR compliance or to request a copy of our DPA, please contact:
School IQ Labs Ltd
Suite RA01, 195-197 Wood Street
London, E17 3NU
United Kingdom
Email: privacy@staffiq.app
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.